What Does CPCSC Cost? A Budgeting Guide for Small Canadian Defence Suppliers

A practical breakdown of what CPCSC Level 1 and Level 2 can cost a small Canadian defence supplier, including internal effort, tooling, remediation, outside help, and recurring upkeep.

By Nelson Ford - CMMC CCP / CISSP. 11 min read.

The first question most suppliers ask about the Canadian Program for Cyber Security Certification is not “which controls apply?”

It is: “What is this going to cost?”

That is the right question. CPCSC is a security requirement, but it is also a business decision. A supplier needs to know whether a defence opportunity is worth pursuing, what work needs to happen before contract award, and whether the organization is looking at a short readiness effort or a real security project.

The honest answer is that there is no single CPCSC cost. The number depends on the required level, the size of the environment, the quality of your existing security practices, and how tightly you can scope the systems that handle Specified Information.

For the short version, see the answer page “How much does CPCSC cost?”. This guide gives you the planning model behind that answer.

Start with the required CPCSC level

CPCSC has three levels, and the cost gap between them is large.

The Government of Canada CPCSC program overview describes Level 1 as an annual self-assessment against 13 controls. There is no external assessor fee for Level 1, so the cost is mostly internal effort, evidence collection, gap remediation, and any outside support you choose to bring in.

Level 2 is materially different. PSPC describes Level 2 as 98 controls with external assessment led by an accredited certification body, plus annual affirmation. The additional supplier guidance says Level 2 will require triannual external cyber security assessments by an accredited third party when Level 2 becomes available. That makes Level 2 a recurring program cost, not a one-time paperwork cost.

Level 3 is a higher category again. Current federal guidance describes it as 200 controls with Government of Canada assessment plus annual affirmation. This guide is focused on small suppliers planning for Level 1 or Level 2, so Level 3 is outside the budgeting ranges below.

Before you estimate anything, confirm which level the contract actually requires. CPCSC levels are applied contract by contract based on the sensitivity of the information and the cyber risk attached to the work. Do not assume every defence opportunity requires Level 2. Do not assume Level 1 is enough either.

For Level 1, Canada’s Level 1 supplier guidance says self-assessment is required at contract award, not during the bidding process. The same guidance also says suppliers bidding on, or working under, a defence contract that requires Level 1 must confirm their self-assessment result and expiry date in their CanadaBuys supplier profile. That means you should not leave readiness until the last minute.

The five CPCSC cost buckets

Whether you are preparing for Level 1 or Level 2, the total cost usually falls into five buckets.

Internal labour is the time your own people spend finding where Specified Information lives, gathering evidence, writing or updating policies, reviewing access, checking endpoint and cloud configurations, and supporting the assessment or self-assessment process. For a small supplier, this is often the hidden cost. It pulls technical and operational people away from billable work, production, delivery, or sales.

Tooling and licensing covers gaps in the platforms you use to operate controls. You may already have much of what you need through Microsoft 365, Google Workspace, endpoint management, cloud platforms, password managers, backup tools, or logging services. Common gaps include multi-factor authentication, endpoint protection, centralized logging, encrypted backup, mobile device management, conditional access, vulnerability management, and secure file storage.

Remediation is the work required to fix what the assessment finds. It might be as simple as turning on MFA for all users and documenting an access review process. It might be as involved as separating a flat network, rebuilding identity administration, moving sensitive project files into a controlled repository, removing shared admin accounts, or replacing unmanaged devices.

Outside help is optional for Level 1 and common for Level 2. Some suppliers can complete the Level 1 self-assessment themselves if they have strong internal IT and security capability. Others bring in help because they want a defensible scope, a clean evidence package, and a second set of eyes before they attest. For Level 2, outside readiness support is more common because the control set is larger and the external assessment has more consequence.

Recurring cost is the part teams forget. CPCSC is not a one-time document exercise. You need to maintain evidence, keep controls working, update users and assets, review access, preserve logs, refresh training, and be ready to support future affirmation or reassessment. Level 2 also carries the recurring external assessment cycle.

Planning ranges for small suppliers

The ranges below are Pilotcore planning ranges dated June 2026 for small Canadian suppliers that need to budget for CPCSC readiness. They are not official government fees and not quotes. They assume you can define the users, devices, systems, cloud services, facilities, and vendors that handle Specified Information. They exclude assessor fees, legal advice, major platform replacement, and work outside the confirmed CPCSC scope unless a row says otherwise.

For Level 1, a small supplier with reasonable existing security practices might budget:

Cost area                    Pilotcore planning range
Internal effort              20 to 80 hours
Tooling gaps                 $0 to $10,000
Remediation                  $2,500 to $25,000
Outside readiness support    $6,000 to $25,000
Ongoing annual maintenance   $2,500 to $15,000

At the low end, Level 1 may be a focused readiness exercise. The supplier already has MFA, managed endpoints, basic policies, backup, and a clear idea of where sensitive contract information will live.

At the high end, Level 1 becomes more of a cleanup project. The supplier may have unmanaged laptops, shared accounts, inconsistent backups, weak access control, no central evidence, and sensitive files spread across email, desktops, file shares, and cloud folders.

For Level 2, the range is much wider because there are 98 controls, external assessment, and a heavier evidence expectation.

Cost area                    Pilotcore planning range
Internal effort              120 to 500+ hours
Tooling gaps                 $10,000 to $75,000+
Remediation                  $25,000 to $250,000+
Outside readiness support    $35,000 to $150,000+
External assessment          Confirm with an accredited certification body
Ongoing annual maintenance   $15,000 to $75,000+

A small supplier with a well-managed Microsoft 365 environment, documented policies, managed devices, centralized logging, clear ownership, and a narrow Specified Information boundary may land toward the lower end.

A supplier with older on-premises systems, unmanaged endpoints, shared accounts, weak documentation, and sensitive information spread through the whole business can move quickly into a larger remediation program.

What drives CPCSC cost up?

The biggest cost driver is starting maturity.

If your organization already uses MFA, has named user accounts, manages endpoints, reviews access, backs up important systems, keeps basic logs, and has written security procedures, you are not starting from zero. Your cost is mostly scoping, evidence, cleanup, and control alignment.

If your organization has grown organically for years without formal IT governance, the work is different. CPCSC readiness may expose issues that were already there: unclear asset ownership, inconsistent patching, old servers, unmanaged laptops, personal devices, weak password practices, informal file sharing, and no reliable evidence trail.

The second major cost driver is scope.

CPCSC is about protecting Specified Information. The goal is not automatically to certify or assess every system in your company. The goal is to identify the systems, people, applications, networks, and facilities that store, process, or transmit the Specified Information tied to the contract.

A narrow, defensible scope is usually cheaper to secure and easier to maintain. A whole-company scope is sometimes necessary, but it should not be the default assumption. If Specified Information only needs to live in a controlled project workspace used by a defined group of employees, you may be able to avoid dragging unrelated systems into scope.

The third cost driver is evidence quality.

For Level 1, the word “self-assessment” can make the work sound lighter than it is. You are still making a formal attestation. You should be able to show why you believe each control is met. That means keeping records such as asset lists, user lists, access review notes, MFA screenshots, backup records, security policies, training records, endpoint protection status, and configuration evidence.

For Level 2, evidence matters even more because an external assessment body will review the implementation of the required controls. Weak evidence can turn a technically decent environment into a difficult assessment.

The fourth cost driver is whether your tools match the control requirements.

Many small suppliers already pay for platforms that can help. Microsoft 365 Business Premium, Entra ID, Intune, Defender, Azure, AWS, Google Workspace, managed endpoint tools, and backup platforms can all support parts of the control environment when configured properly.

Buying another tool is not always the answer. Sometimes the cheaper path is to configure what you already own, remove risky exceptions, and document the operating process. Other times, a tooling gap is real and needs to be fixed.

Example planning scenarios

A small engineering firm pursuing Level 1 with 25 employees, Microsoft 365 Business Premium, MFA already enabled, managed laptops, and a small defence project team might have a relatively contained effort. The work may focus on defining the Specified Information boundary, confirming account and device scope, cleaning up access, preparing evidence, and closing a few documentation gaps. A reasonable planning range might be $8,000 to $25,000 in outside support and remediation, plus internal time.

A 60-person manufacturer pursuing Level 1 but starting with unmanaged endpoints, informal file sharing, limited documentation, and no clear separation between commercial and defence project data may need more work. The organization may need endpoint management, better access control, backup review, policy work, user training, and a controlled workspace for Specified Information. A reasonable planning range might be $25,000 to $75,000+ once internal effort, tools, remediation, and outside support are included.

A supplier preparing for Level 2 should treat the effort as a program, not a checklist. The organization needs a defined scope, control ownership, evidence management, remediation planning, operating procedures, and preparation for external assessment. For a small but serious supplier, first-year Level 2 readiness can reach six figures, especially if the environment was not already managed with security and compliance in mind.

These examples are not quotes. They are budgeting scenarios. The right number for your organization depends on what is actually in scope.

How to keep CPCSC cost reasonable

The suppliers that control cost best are the ones that avoid unnecessary scope, fix the right gaps first, and keep evidence as they go.

Start by identifying where Specified Information will live. Which contracts? Which users? Which systems? Which cloud folders? Which endpoints? Which facilities? Which external providers? If the answer is “everywhere,” your cost will rise quickly.

Then define the smallest defensible boundary. This might be a controlled project workspace, a specific cloud tenant or environment, a limited group of users, a defined device set, and a clear process for keeping sensitive project information out of general business systems.

Next, deal with the high-impact basics. MFA, named accounts, least privilege, endpoint protection, backup, patching, logging, and access review are not just compliance items. They reduce real business risk.

After that, build the evidence package. Do not wait until the end and try to reconstruct what happened. Keep simple records as you go: diagrams, screenshots, lists, policies, meeting notes, configuration exports, training logs, and access review evidence.

Finally, avoid buying technology before you understand the gap. A new tool can help, but it can also add cost without solving the assessment problem. In many small environments, configuration, scope control, and evidence discipline matter more than another dashboard.

A practical way to budget

If you are a small supplier trying to estimate CPCSC cost, use this sequence:

  1. Confirm the required CPCSC level from the opportunity, RFP, contract clause, or customer direction.
  2. Identify what Specified Information you expect to handle.
  3. Map where that information will be stored, processed, transmitted, and accessed.
  4. List the users, devices, systems, cloud services, facilities, and third parties in scope.
  5. Compare the current environment against the required controls.
  6. Separate gaps into policy, evidence, configuration, tooling, and remediation.
  7. Estimate internal effort and outside support separately.
  8. Add recurring maintenance, not just first-year readiness.

That process will not give you a perfect number on day one. It will give you a realistic range and prevent the two most common mistakes: underestimating the effort, or overspending because the scope was never controlled.

Bottom line

For a small Canadian defence supplier, CPCSC Level 1 may be a manageable readiness exercise if the environment is already well run and the scope is narrow. It can become expensive if basic security practices are missing or Specified Information is allowed to spread through the whole company.

Level 2 is a larger commitment. It brings more controls, more evidence, external assessment, and recurring effort. Treat it as a business investment tied to the value of the defence opportunities you are pursuing.

The right question is not simply “what does CPCSC cost?”

The better question is: “What scope are we willing to operate, defend, and maintain?”

That answer drives the budget.

For practical next steps, compare this with the CPCSC Level 1 readiness guide, the CPCSC Level 2 guide, and the shorter answer page on how much CPCSC costs. If you need help scoping the work, see CPCSC compliance support or start with how long CPCSC preparation can take.

About the author

Nelson Ford - CMMC CCP / CISSP
  • CISSP
  • CMMC Certified Professional

Nelson Ford is the principal at Pilotcore, based in Ottawa. He is a CISSP and CMMC Certified Professional, and works with Canadian defence suppliers on CPCSC readiness and US contractors on CMMC. He writes Pilotcore's compliance and zero-trust commentary.

Frequently asked questions

How much does CPCSC Level 1 cost?

CPCSC Level 1 has no government assessor fee because it is an annual self-assessment. For a small supplier, the main costs are internal labour, evidence preparation, tooling gaps, remediation, outside readiness support if used, and annual maintenance.

Why does CPCSC Level 2 cost more than Level 1?

Government of Canada guidance describes Level 2 as 98 controls with triannual external cyber security assessment by an accredited certification body plus annual affirmation. That adds assessment cost, a larger evidence burden, and more ongoing preparation.

Are CPCSC cost ranges official government fees?

No. They are Pilotcore planning ranges dated June 2026 for small Canadian suppliers, not official government fees and not quotes. They assume a defined Specified Information scope and exclude assessor fees unless a row says otherwise.

What is the biggest way to reduce CPCSC cost?

Define the smallest defensible scope for Specified Information. A narrow, real boundary is cheaper to secure and easier to maintain than putting the whole company in scope by default.